Officials at Vandenberg Air Force Base, Calif., have found a way to manage user privileges in an enterprise Windows environments while adhering to requirements for a standard desktop PC configuration mandated by the Air Force and the Office of Management and Budget.

The system lets users run specialized ' but authorized ' applications not included in the standard configuration without undue intervention by a system administrator.

The OMB requirements, based on similar initiatives by the Air Force, will require agencies to restrict administrator rights on all desktop computers. OMB is expanding on the work of the Air Force, Army, Defense Information Systems Agency, National Institute of Standards and Technology, National Security Agency and Homeland Security Department to develop a standard Windows configuration.

Early start

Vandenberg started to comply with the Air Force's standard desktop configuration in January. Before the move, base officials knew they had to develop a way to deploy desktop systems without administrative privileges while allowing users to run or install all authorized applications.

'Before this migration, there were certain groups of users that had administrative privileges on their machine so they could run these special applications,' said Mike De Bruin, senior systems engineer at RS Information Systems, an on-site contractor at Vandenberg, who manages user privileges for a squadron at the base.

The Air Force has many homegrown applications, he said. 'You have your standard apps like Microsoft Office, and there are a lot of customized applications [that] required administrative privileges to run,' he said.

De Bruin's squadron considered a couple of options before picking a solution that would let him manage 500 users and 450 desktop PCs. Currently, the standard desktop configuration environment is for Windows XP Service Pack 2.

One workaround would have required someone with administrative rights to log on to a user's computer and then personally monitor the situation while the user ran theapplication.

Another option would have required the administrator to log on to the user's computer from the administrative system and give the user rights for one session.

The administrator would not have to stand at the user's computer and monitor activity, but every time the user needed to use the application, the administrator would have to repeat the process, De Bruin said. If the user needed access to the application several times a day, that could become a cumbersome task.

One to many

Some squadrons on base are still opting for one of these scenarios. But De Bruin found the answer to his administrative rights dilemma in Privilege Manager software from BeyondTrust.

The squadron needed software that could work with Microsoft's Group Policy, a feature of Windows that helps the squadron achieve a standard desktop configuration.

Group Policy and the Active Directory services infrastructure in Windows Server 2003, for example, let IT administrators automate one-to-many management of users and computers. Administrators can efficiently implement security settings, enforce IT policies, and distribute software consistently across a given site, domain or range of organizational units.

Using Privilege Manager, administrators can download a small application onto users' desktops that integrates with Group Policy.

'You point it to the right application on the [user's] computer,' he said.The software lets IT administrators filter privileges in many different ways ' by times of day or specific computers, IP addresses, users or organizational units, De Bruin said. For example, 'I am able to get granular to make sure that the accounting people have admin rights for accounting applications' instead of users who should not have access, he said.

'Unless you get granular, you're just opening up security holes,' he said.